An app could also intercept 2FA by intercepting the SMS that contains the code, could it not? (Assuming it acquired such privileges during installation.) If true, this is kind-of a major problem.